1 Model checking and equivalence checking

Transcription

1 Practical Design Verification Model checking and equivalence checking Masahiro Fujita. Introduction Owing to the advances in semiconductor technology, a large and complex system that has a wide variety of functionalities has een integrated on a single chip. It is called system-on-a-chip (SoC) or system LSI, since all of the components in an electronics system are uilt on a single chip. Designs of SoCs are highly complicated and require many manpower-consuming processes. As a result, it has ecome increasingly difficult to identify all the design ugs in such a large and complex system efore the chips are faricated. In current designs, the verification time to check whether or not a design is correct can take 8 percent or more of the overall design time. Therefore, the development of verification techniques in each level of astraction is indispensale. Logic simulation is a widely used technique for the verification of a design. It simulates the output values for given input patterns. However, ecause the quality of simulation results deeply depends on given input patterns, there is a possiility that there exist design ugs that cannot e identified during logic simulation. Because the numer of required input patterns is exponentially increased when the size of a design is increased, it is clearly impossile to verify the overall design completely y logic simulation. To solve this prolem, the development of formal verification techniques is essential. In formal verification, specification and design are translated into mathematical models. Formal verification techniques verify a design y proving its correctness with mathematical reasoning, and, therefore, they can verify the overall design exhaustively. Since formal verification is a mathematical reasoning process and logic circuits compute Boolean functions, it is realized on top of asic Boolean reasoning techniques, such as inary decision diagrams (BDDs), Boolean satisfiaility checking methods (so-called SAT methods), and automatic test-pattern generation techniques (ATPG) for manufacturing test fields. The performance of formal verification methods relies heavily on the performance of these techniques. Figure. shows an overview of a formal verification flow. In formal verification, oth specification and design descriptions are translated into mathematical models using front-end tools. Finite state machines, temporal logic, Boolean functions, and so on, are used as mathematical models. After mathematical models are otained, they are analyzed Practical Design Verification, eds. Dhiraj K. Pradhan and Ian G. Harris. Pulished y Camridge University Press. ª Camridge University Press 29.

2 Practical Design Verification 2 M. Fujita Spec Design Front-end tool Mathematical models Finite state machine Temporal logic Boolean function Other logic expressions Verification engines Binary decision diagram (BDD) Satisfiaility check (SAT) Automatic test-pattern generation (ATPG) Figure. Formal verification of design descriptions using BDD and SAT methods. Formal verification is equivalent to simulating all the cases in logic simulation. If there exists a design ug, formal verification techniques produce a counter-example to support deugging processes. There are asically two prolems in the verification of designs: model checking and equivalence checking. Model checking (or property checking) verifies whether a design satisfies the properties given as its specification. The performance of model checking has drastically improved in recent years, mainly owing to the significant progress of SATased efficient implementations. Equivalence checking verifies whether two given designs are equivalent or not. Equivalence checking can e applied to two designs in the same design level or in two different design levels. Depending on the types of equivalence definitions, equivalence checking can e made only on cominational parts of the circuits or on oth cominational and sequential parts of the designs. In particular, the former type of equivalence checking has ecome very practical, and very large designs, such as those with more than million gates, can e formally verified in a couple of hours. In the actual design flow from highly astracted design stages down to implementation levels, model checking is applied to each design level to ensure correct functionality, and equivalence checking is applied to any two different design levels so that correctness of the designs can e estalished. In this chapter, I first riefly review the Boolean reasoning techniques, BDD, SAT, and ATPG methods, in Section.2. Property checking and equivalence checking techniques are presented in Sections.3 and.4 respectively. In Section.5, formal verification techniques used in design levels higher than RTL are discussed..2 Techniques for Boolean reasoning In this section, I introduce three Boolean reasoning techniques, BDD, SAT, and ATPG techniques, which are the ases of formal verification methods. The performance of

3 Practical Design Verification Model checking and equivalence checking 3 x x 2 x 2 x 3 x 4 x 5 x 3 x x 2 x 2 x 3 Figure.2 A inary decision tree representation of a Boolean function and its corresponding inary decision diagram (BDD) formal verification methods fully relies on the performance of these techniques. In recent years SAT and ATPG methods, especially their program implementations, have een drastically improved, which make it feasile to verify real-life designs formally within reasonale time..2. Binary decision diagrams (BDDs) Reduced ordered inary decision diagrams (ROBDDs), simply called BDDs, are a canonical representation for Boolean functions. For many Boolean functions of practical interest in VLSI designs, BDDs provide a sustantially more compact representation than other traditional alternatives, such as truth tales, sum-of-products (SOP) forms, or conjunctive normal form representations. Further, there exist efficient algorithms to manipulate BDDs. Thus, BDDs and their variants have ecome widely used in various areas of digital system design, including logic synthesis and formal verification of systems that can e represented in finite state machines. Binary decision diagrams represent the Boolean function as a directed acyclic graph. Let us first consider inary decision trees, an example of which appears on the left-hand side of Fig..2, for the majority function, f(x,x 2,x 3 ) ¼ (x ^x 2 ) (x 2^x 3 ) (x ^x 3 ). The inary decision tree is a rooted directed tree with two kinds of node, terminal nodes and nonterminal nodes. Each non-terminal node v is laeled with a variale var(v) and has two successors, hi(v) and lo(v), corresponding to the cases when var(v) is set to and, respectively. The edge connecting v and hi(v), shown as a solid line (lo(v) is shown as a dashed line), is laeled with (). Each terminal node (leaf node of the tree) is laeled y the Boolean value or. Each truth assignment to the variales of the function has a one-to-one correspondence to a path in the tree from the root to a terminal node. This path can e traversed y starting with the root node and taking the edge corresponding to the truth value of the variale laeling the current node. The value laeling the terminal node is the value of the function under this truth assignment. This representation is, however, fairly redundant. For example, the su-trees corresponding to the assignment (x ¼, x 2 ¼ ) and (x ¼, x 2 ¼ ) are isomorphic, and the vertex that corresponds to (x ¼, x 2 ¼ ) is redundant, since oth assignments to x 3 at this point have the same consequence. ^ ^

4 Practical Design Verification 4 M. Fujita A BDD could e otained for a given Boolean function y essentially placing two restrictions on its inary decision tree representation. The first restriction imposed is a total order < on the variales laeling the vertices, such that for any vertex u in the diagram, if u has a non-terminal successor v, then var(u) < var(v). The second set of restrictions involves merging isomorphic su-trees and removing redundant vertices y repeatedly applying the following three reduction rules until no further application is possile... Remove duplicate terminals Eliminate all ut one terminal vertex with a given lael and redirect all arcs going to the eliminated vertices into the remaining vertex. 2.. Remove duplicate non-terminals If two non-terminal vertices u and v have var(u) ¼ var(v), lo(u) ¼ lo(v), and hi(u) ¼ hi(v), then eliminate one of u or v and redirect all incoming arcs to the eliminated vertex to the one that remains. 3.. Remove redundant tests If a non-terminal vertex v has hi(v) ¼ lo(v), then eliminate v and redirect all its incoming arcs to hi(v). The resulting representation is a BDD. Figure.2 shows an example. The graph on the right-hand side is a BDD corresponding to the inary decision tree of the majority function, shown on the left-hand side in the figure. Binary decision diagram representations are canonical that is, two BDDs for a given Boolean function under a given variale ordering are isomorphic. [] Because of this the equivalence of two Boolean functions can e simply checked y a graph isomorphism check on their respective BDD representations. A function is a tautology if and only if it is isomorphic to the trivial BDD corresponding to a single terminal vertex and satisfiale if and only if it is not isomorphic to the trivial BDD represented y a single terminal vertex. A function is independent of a variale x if and only if there is no vertex laeled with x in its BDD. The size of a BDD representation is critically dependent on its variale order. Figure.3 shows two different BDD representations for the comparator function. The one on the left side uses the ordering a < a 2 < < 2, while the one on the right uses the order a < < a 2 < 2. More generally, for an n-it comparator, the ordering a <...<a n < <...< n yields a BDD with 3 2 n vertices, while the ordering a < <...< a n < n gives a BDD of size 3n þ 2. Thus, the size characteristics of the a a a 2 a 2 a Figure.3 An example of how variale ordering can affect the size of an ROBDD

5 Practical Design Verification Model checking and equivalence checking 5 BDD can change from linear asymptotic growth to exponential asymptotic growth y altering the variale ordering strategy. In general, finding the optimal BDD variale order for a given function is a hard prolem. Specifically, checking that a given variale order is optimal for a given function is an NP-complete prolem. [2] Some classes of Boolean function are particularly difficult cases for BDDs, since any variale order results in a BDD with exponential complexity. The Boolean functions for the middle two outputs of an n-it integer multiplier are one such example. [3] The optimal variale order is, however, typically not necessary in order to effectively use BDDs. In practice, we need a variale order that keeps the BDD representations within reasonale limits so that suitale algorithms can manipulate them using the availale computer power. In fact, many functions encountered in practical applications do have reasonaly compact BDD representations. Moreover, efficient heuristics for BDD variale ordering have een developed that keep BDD sizes in check. One class of variale-ordering heuristics uses domain-specific knowledge to effect a good ordering. For example, if the Boolean function represents a logic gate network, then a depth-first traversal on the network graph can provide a good ordering. [4,5] Another technique, called dynamic reordering or sifting, [6] is an orthogonal approach, which is used when a domain-specific or constructive ordering algorithm is not availale for the functions eing manipulated. The technique simply performs a sequence of local reordering moves with the aim of reducing BDD size. It does this on a periodic asis to keep BDD sizes smaller and has often proved to e quite effective in practice. One operation that is central to the construction, representation, and manipulation of BDDs is the restriction or co-factoring operation. A restriction or co-factor of f is the function that results when some variale x of f is set to a constant value k ( or ), denoted as f x¼k or alternatively as f x for x ¼ and f x for x ¼. Given the two co-factors of a function, it can e expressed using the following identity, known as Shannon s expansion: f ¼ x f x þx f x. The manipulation of BDDs that is, performing logical operations on functions represented as BDDs is done using a single universal operation called the ite (if-thenelse) operator (which internally makes use of the restriction operation). [7] The ite operator is a ternary operator, akin in functionality to a multiplexor (mux) in hardware or the if-then-else construct availale in programming languages. It realizes the function expressed as iteðf ; g; hþ ¼f g þ f h, where f, g, and h are Boolean functions (possily non-unique) represented as BDDs. In particular, ite can e used to implement any two-variale logic function, such as f g ¼ iteðf ; g; gþ and f g ¼ iteðf ; ; gþ. Figure.4 shows the algorithm used to implement the ite operator for BDDs. It is a recursive algorithm where the leaves (terminal cases) of the recursion are degenerate cases of the ite operator for which precomputed and stored solutions are sustituted, such as ite(,f,g) ¼ ite(,g,f) and f ite(f,g,g) ¼ g. During the course of the algorithm, the BDD eing generated may not remain fully reduced and canonical owing to the addition of new nodes, R. The reduce() function in the figure refers to the application of the reduction rules discussed earlier. In practical BDD packages, the need for this

6 Practical Design Verification 6 M. Fujita ite(f,g,h) { if (terminal case) { return computed-result; } else { // general case let e the top variale of (f,g,h); ~ f ite(f,g,h ) ~ f ite(f,g,h ) R = new node laeled y R.hi ~ f R.low g ~ reduce(r) return R; Figure.4 Algorithm to implement the ite operator reduce() operation is oviated y maintaining hash tales of oth unique BDD nodes and previous ite calls. New ite calls, as well as new BDD nodes (R) created through them, are looked up against these hash tales efore initiating new ones, therey dynamically maintaining and growing a reduced-ordered BDD..2.2 Boolean satisfiaility checker The Boolean satisfiaility (SAT) prolem is a well-known constraint satisfaction prolem, with many applications in the fields of VLSI computer-aided designs and artificial intelligence fields. Given a propositional formula u, the Boolean satisfiaility prolem posed on u is to determine whether there exists a variale assignment under which u evaluates to true. Such an assignment, if one exists, is called a satisfying assignment for u, and u is called satisfiale. Otherwise, u is said to e unsatisfiale. The SAT prolem is known to e NP-complete. [8] However, in recent years, there have een tremendous advancements in SAT technology, making SAT solvers a viale option for solving many real-world prolems. Most SAT solvers use a conjunctive normal form (CNF) representation of the propositional formula. A CNF formula consists of a conjunction of clauses, each of which is a disjunction of literals, and a literal is a variale or its negation. For example ða þ þ cþða þ cþða þ þ cþ is a propositional formula in CNF over the variales a,, and c. It is composed of a conjunction of three clauses. The clause ða þ þ cþ is one of the clauses, a disjunction of literals a,, and c. Note that for a CNF formula to e satisfied, each of its clauses must e satisfied that is, evaluate to true. Thereexist polynomial algorithms to transform an aritrary propositional formula into a satisfiaility equivalent CNF formula, which is satisfiale if and only if the original formula is satisfiale. Most modern SAT solvers are ased on the Davis Putnam Logemann Loveland (DPLL) procedure. [9,] The DPLL algorithm essentially performs a

7 Practical Design Verification Model checking and equivalence checking 7 sat-solve() if preprocess() = CONFLICT then return UNSAT while TRUE do if not decide-next-ranch() then return SAT; while deduce() = CONFLICT do level analyze-conflict(); if level = then return UNSAT; acktrack (level); done; done; Figure.5 A generalized DPLL algorithm ranch-and-ound search over the space of possile Boolean assignments of the variales of the given propositional formula. It is a sound and complete algorithm that is, it finds a satisfying assignment if and only if the given formula is satisfiale. Figure.5 shows the asic processing flow of the DPLL algorithm. This form provides a suitale framework for illustrating the advanced features of modern DPLL-ased SAT solvers. The first operation in the algorithm is a set of preprocessing steps (preprocess()) during which it may e discovered that the formula is unsatisfiale. If this is not the case, the algorithm enters the outermost loop, which consists of choosing an unassigned variale and assigning to it a value that has not een explored earlier (decide-next-ranch()). If no such variale exists, the current partial assignment is a satisfying assignment for the formula. Otherwise, the variale assignments deducile from the current assignments are applied (deduce()) using a procedure known as Boolean constraint propagation (BCP). This consists of an iterated application of the unit clause rule, which is applied on unit clauses that is, clauses with all ut one literal assigned to false and the last literal unassigned. The unit clause rule asserts the last unassigned literal of each unit clause as true, since the other assignment represents a search path that cannot lead to a satisfying assignment. A conflict occurs when a variale is asserted as true as well as false. If BCP does not lead to a conflict, the decide-next-ranch() loop is repeated y choosing further unassigned variales and values. However, in the event of a conflict, the search acktracks (acktrack()) y undoing a certain numer of decisions and their BCP implied assignments, ased on an analysis of the conflict y analyze-conflict(). If all decisions need to e undone (i.e., the acktrack-level level is ), the formula is deemed unsatisfiale, since the entire search space has een exhausted. The original DPLL algorithm used chronological acktracking that is, it would acktrack up to the most recent decision, for which the other value of the variale had not een tried. However, modern SAT solvers use conflict analysis techniques (shown as (analyze-conflict) in the figure) to analyze the reasons for a conflict. Conflict analysis is used to perform conflict-driven learning and conflict-driven acktracking, which were incorporated independently in the GRASP [] and rel-sat [2] SAT

8 Practical Design Verification 8 M. Fujita solvers. Conflict-driven learning consists of adding conflict clauses to the formula, to avoid the same conflict in the future. Conflict-driven acktracking allows nonchronological acktracking that is, up to the closest decision that caused the conflict. These techniques greatly improve the performance of the SAT solver on structured prolems. The conflict analysis is realized using implication graphs, [,3] which capture the current state of the SAT solver. Many other advances have een made in developing the asic components that comprise the DPLL-ased SAT solver: the decision engine (heuristics for choosing decision variales and values); the deduction engine (data structures and heuristics for performing BCP and detecting conflicts); and the diagnosis engine (heuristics for conflict-driven learning). [4] An interesting property of CNF representations was first exploited y Zhang in the SATO SAT solver [5] to improve the performance of BCP. It proposed the use of head and tail pointers to point to non-false literals in the list representation of a clause, and maintained the strong invariant that all literals efore the head pointer, and all literals after the tail pointer, are false. Clearly, detection of a unit clause during BCP ecomes easy that is, when the head and tail pointers coincide on an unassigned literal. The main advantage is that the clause status is updated only when either of the head or tail literals is assigned a false value during BCP. In particular, this eliminates an update when any of the other literals in the clause is assigned a value. When the head or tail literal is assigned a false value during BCP, the associated pointer needs to e moved to another non-false literal, if it exists. This is facilitated y the strong invariant. However, during acktracking, the head or tail pointers may need to e moved ack again, to maintain the strong invariant. A different trade-off was proposed in the Chaff SAT solver. [6] Its BCP scheme, known as two literal watching with lazy update, is also ased on tracking only two literals per clause during BCP. However, Chaff maintains a weak invariant, wherey the two watched literals are required to e non-false, ut there is no ordering requirement with respect to other false literals. Again, detection of a unit clause during BCP is easily performed y checking whether oth watched pointers coincide, and whether clause updates on assignment to other literals are eliminated. Most of the modern-day SAT solvers incorporate the advanced techniques for conflict-ased learning, ranching heuristics, and efficient BCP descried aove as well as efficient data structures and extremely well-tuned implementations to exploit their algorithmic power fully. With these advancements, SAT solvers can now analyze formulas of up to a million variales and three to four million clauses in a few hours of runtime. Of course, these figures hold for only fairly structured SAT instances derived from certain classes of real-world prolems..2.3 Automatic test-pattern generation (ATPG) techniques Automatic test-pattern generation (ATPG) is the process of generating a suite of test vectors that can e used for the purposes of testing a manufactured circuit for manufacturing faults. Manufacturing faults are physical defects introduced into the integrated circuit (IC), during the manufacturing process, which result in its incorrect

9 Practical Design Verification Model checking and equivalence checking 9 Primary inputs Justify S S a X Propagate Primary outputs Figure.6 ATPG process for a single stuck-at- fault a d f c e Figure.7 An example of implication and learning from circuits operation. The fault we consider here is one that causes a signal to e permanently stuck at a logical value or (or a defect that can, for all practical purposes, e modeled as such). Such a fault is called a stuck-at ( or ) fault. Very efficient ATPG algorithms for stuck-at faults have een developed, which can e applied to Boolean function reasoning. Therefore, powerful formal verification techniques may e estalished using ATPG techniques. Thus, the purpose here is to show asic concepts and developments in ATPG so that the link of ATPG to formal verification algorithms ecomes evident. Figure.6 illustrates the steps involved in trying to generate a test pattern for a single stuck-at fault. In this example, the signal s is assumed to e under stuck-at- fault. To generate a test for s stuck-at-, we need to find a vector of primary inputs that sets signal s to (justification step) such that some primary output differs etween the good circuit and the faulty circuit (propagation step). As can e seen from the figure, the ATPG prolem is asically a sort of SAT prolem. We need to reason aout the values of signals ased on the constraints shown in the figure. Automatic test-pattern generation techniques have, however, their own historical developments rather independent from SAT method. Their algorithms and heuristics are mostly ased on logic-circuit structures and properties of logic gates. This means that techniques used in ATPG methods can e used in SAT methods and vice versa. One of the most important techniques in ATPG to speed up the test pattern generation processes is called learning. [7,8] As seen in the previous sections, the concept of learning is also utilized in SAT methods to make them much more efficient. Similar efficiency can e achieved in ATPG processes y learning implications of values of signals from the target circuits. Figure.7 shows an implication example. Suppose that input is. Owing to the nature of the AND gate, d and e also ecome. This implies that f is. In summary, we have an implication of values that ¼ implies f ¼. Please note that this implication process utilizes the functionality of AND and NOR gates. More learning can e made from this y using the law of contraposition,

10 Practical Design Verification M. Fujita that is, we can also conclude that f ¼ implies ¼. As can e seen from the figure, this learned implication is not so ovious. From f ¼ we cannot have fixed values for d and e, since what is required from f ¼ ond and e is that at least one of d and e must e, that is d ¼ ande ¼*(don tcare)ord ¼* ande ¼. There are two possile values for d and e, which means that further reasoning on values of signals is not straightforward. As can e seen from the example, y using the law of contraposition, many more implications can e otained, which will further enhance the ATPG processes. As the discussions aove on the circuits shown in Fig..7, iff ¼, there are several possile cases of values on d and e. As a result, no further simple implication of the values of signals can e made. On the other hand, in oth ATPG and SAT methods, reasoning is ased on case splitting and acktracking, and knowledge aout necessary assignments computed from learning processes is crucial for the numer of acktracks which must e performed. Backtracks occur if wrong decisions have een made, i.e., decisions considered wrong if they violate necessary assignments. Hence, it is important to realize that if all necessary assignments are known at every stage of the test-pattern generation process (or in general in all Boolean reasoning processes) acktracks can e avoided. Simple learning methods [7,8] cannot identify all necessary assignments, ased, as they are, on polynomial time-complexity algorithms. The prolem of identifying all necessary assignments is NP-complete and a method that guarantees identifying all necessary assignments must e exponential in time complexity. One such technique, which can identify all necessary assignments, is recursive learning. [9] It involves applying learning methods in a recursive way so that even if multiple cases happen when computing implications, all such cases are exhaustively analyzed. For example, let us consider the case of f ¼ in the circuit of Fig..7. In this case, there are two cases of values for d and e, i.e., d ¼ and e ¼* or d ¼* and e ¼. Recursive learning procedures analyze one case at a time and proceed the necessary assignment analysis in a recursive way. The two cases are shown in Figs..8 (a) and (), respectively. In (a), d ¼ implies a ¼ and ¼. In (), e ¼ implies ¼ and c ¼. The important point here is that in oth cases ¼. That is, is always. So we can conclude that f ¼ implies ¼ without using the law of contraposition. In this simple example, the same implication can also e otained y applying the law of contraposition to the implication otained in Fig..7. In general, however, much more learning can e otained with recursive learning techniques, especially if there are more recursions. The level of recursion is defined as the numer a d f a * d f c (a) e c * () e Figure.8 Two cases for f ¼ in the circuit of Fig..7